▲ 7 r/AskNetsec
How do you audit an identity verification vendor's fraud intelligence sharing model at enterprise scale?
Mid-procurement on a new identity verification platform and the question I keep hitting a wall on is this: if the vendor uses fraud signals from one enterprise client to improve detection across their whole network, what does the data architecture look like that prevents that from becoming a cross-client exposure problem?
SOC 2 and ISO 27001 cover the obvious ground. What I want to understand is how the vendor handles fraud intelligence at the network level, what their model update cycle looks like when new attack types emerge, and whether any of that is even auditable from the buyer side.
Just trying to understand what good looks like here and what due diligence security teams are doing beyond the standard certification review.
u/Calm-Exit-4290 — 2 days ago